-
New security update candidate for the Xen package in XCP-ng!
Prompt feedback needed
So, a new patch of security patches were released for the Xen hypervisor that is at the core of XCP-ng. Updates candidates are available for XCP-ng 8.1 and in the making for XCP-ng 8.0.
What's being fixed
Mostly flaws allowing privileged guest processes may crash the host under certain conditions.
XCP-ng 8.1
- Update with
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing - Reboot.
- Check that your host(s) still work (Spoiler: they will).
- Report here
- Receive our gratitude
XCP-ng 8.0
Coming soon
- Update with
-
@stormi Updated a D54250WYK / i5-4250U / 16GB / XCP-ng 8.1 fully patched
Host is indeed working and VMs started without any issues.
Will try on my new R720 later, but I am confident that it will work as well.
Nice work as always
Edit: Updated a Dell R720 / dual Intel Xeon CPU E5-2640 v2 / 128 GB / XCP-ng 8.1 fully patched as well. All good.
-
The bug/security patches upstream never seem to end. Seems like since April all you guys have had time for is this...
-
The update for XCP-ng 8.1 has now been pushed to the official updates repositories.
The update for XCP-ng 8.0 is now available for testing:
- Update with
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing - Reboot.
- Check that your host(s) still work (Spoiler: they will).
- Report here
- Receive our gratitude
- Update with
-
New call for testing the XCP-ng 8.0 update candidate. I'd like to publish it today.
-
@stormi I tried insalling the 8.0 update with the command you have listed but nothing installs on the server
yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Excluding mirror: updates.xcp-ng.org * xcp-ng-base: mirrors.xcp-ng.org Excluding mirror: updates.xcp-ng.org * xcp-ng-testing: mirrors.xcp-ng.org Excluding mirror: updates.xcp-ng.org * xcp-ng-updates: mirrors.xcp-ng.org No packages marked for update -
I just pushed the update to the official updates repository. Maybe you installed it already, if you ran
yum update. -
-
@stormi Yup, I did just before trying to install the test update so I must have gotten it after you published. Everything seems to be working fine here afterward.
-
New security update
We'll push security updates for XCP-ng 8.1 before the end of the week, and for XCP-ng 8.0 as soon as possible.On 8.1, please test with:
yum clean all --enablerepo=xcp-ng-testing yum update kernel xapi-core xapi-tests xapi-xe xcp-networkd xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing rebootAs usual, the objective of the test is to confirm that everything still works as well as before the update.
I'll post a separate message when an update candidate is available for XCP-ng 8.0.
-
I have published the security updates for XCP-ng 8.1, so you can already update your hosts.
The blog post will be published a bit later, at the same time as the XCP-ng 8.0 update.
-
Updates pushed for XCP-ng 8.0, however there remain two CVEs that we couldn't fix, and since XCP-ng 8.0 will soon be EOL, we will probably not fix them: http://xenbits.xen.org/xsa/advisory-331.html and http://xenbits.xen.org/xsa/advisory-332.html
Users of XCP-ng 8.0 should review these and consider upgrading soon. The risk mostly depends on whether there's untrusted workload running in the VMs. If the risk is acceptable, you may wait for the XCP-ng 8.2 release in order to update directly to the LTS.
-
@stormi Updated my 8.0 test server and all seems to be working just fine so far.
-
Blog announcement published yesterday: https://xcp-ng.org/blog/2020/11/02/november-2020-security-updates/
-
New security update candidate - Another Intel CPU vulnerability
Security update candidates are available for testing for XCP-ng 8.1. They address the "Platypus" vulnerability.
Update with:
yum clean all --enablerepo=xcp-ng-testing yum update microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testingFeedback welcome before the imminent broad release.
XCP-ng 8.0 will not receive fixes any more -
Update published. Blog post to follow soon.
Update: https://xcp-ng.org/blog/2020/11/17/security-update-for-platypus-side-channel-attack/
-
New security update candidate - - the third in one month
A vulnerability has been found in the patch that fixed a previous vulnerability. It may allow a privileged user in a guest VM with a PCI passthrough device to compromise the host.
Update candidates are available for XCP-ng 8.1 and 8.2:
yum clean all --enablerepo=xcp-ng-testing yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testingAnd reboot.
Please install them and report to confirm that everything is working as expected.
-
@stormi updated my three host playlab (8.2.0 fully patched) with no problem. Kicked around some VMs (starting, stopping, live migration, delete, restore from backup, snapshot) but no serious testing. Everything worked fine.
-
Thanks @gskger for the feedback. The update has been pushed on Wednesday evening and the blog post published yesterday: https://xcp-ng.org/blog/2020/11/26/security-and-bugfix-update-cve/
For XCP-ng 8.2, updates also include UEFI support fixes.
-
@stormi thank you as well for regulary pushing out security updates and bugfixes
. Makes me feel comfortable to have a solid virtualization environment (even with a non-commercial homelab) 
.
